Difference between revisions of "Linux Security"

From Manjaro Linux
Jump to: navigation, search
(Groups)
(Generalize and merge articles)
Line 1: Line 1:
== Users ==
+
__TOC__
Linux is a system build for networked multi user environments where access control is a vital part of the infrastructure.
+
  
As such any Linux based system requires users to be identified by username and access credentials. A more thorough explanation of users and groups is available at the [[Users_%26_Groups|Users & Groups]] page.
 
  
The toplevel user is '''root''' and is the most important user to protect from abuse or malicious usage.
+
=Overview=
  
If your '''root''' user is compromised you might as well restore your system either through reinstall or restore from an uncompromized backup.
+
System security is a complicated topic that individuals study for many years. It would be impractical to impart even a fraction of that knowledge in a Wiki article.  What this page will attempt to do is provide a primer in the most basic elements of Linux security and identify common pitfalls for beginners
  
A '''superuser''' account is equal problematic if not protected.
 
  
 +
=Users=
  
== Groups ==
+
User accounts are used to log into the system and provide one of the basic building blocks for permissions.  You could loosely categorize users into a few categories:
 +
* Regular user accounts like the one created for you during install.
 +
* Accounts used to run specific processes.  These users are often named after the service they run.  For example the {{ic|dbus}} users is user to run the master dbus process.
 +
* The {{ic|root}} account.
 +
 
 +
 
 +
The root account is an administrator or superuser account.  This account to everything in the system and be used with extreme care.  In most cases, it shouldn't be used at all.  Instead use {{ic|sudo}}.
 +
 
 +
 
 +
=sudo=
 +
 
 +
The command {{ic|sudo}} lets you run a command as the root user without actually switching to the root user.  In many cases this is safer than using the root user directly as only a single command is being run as root.  For example, your normal user account would not be able the file {{ic|/etc/fstab}} because it is owned by root.  However, you can edit it with sudo like this:
 +
sudo nano /etc/fstab
 +
 
 +
 
 +
When you run this command, you will be asked for a password, this will be the password of your normal user account.  For more information about editing configuration files owned as root see [[Viewing_and_editing_configuration_files|this article on configuration files]
 +
 
 +
 
 +
==sudo vs su==
 +
 
 +
While {{ic|sudo}} and {{ic|su}} look similar and both involve root access they are very different.  {{ic|sudo}} runs a single command as another user and requests the password of your normal user account.  {{ic|su}} lets you *become* root and requests the password of the root user.  In general, it is usually safer to use sudo than to use su.
 +
 
 +
 
 +
{{warning|Never run a graphical program with as root or with sudo, it should only be used with command line programs}}
 +
 
 +
 
 +
==Why am I Asked for a Password==
 +
 
 +
Sometimes you will take an action in the terminal or through a GUI application and will get prompted for your password.  This is because the action you are trying to take cannot be completed by you user and requires elevated rights.  Whenever you get a password prompt like this it is important to pause and think if the action you are taking *should* be asking for elevated rights before entering your password.
 +
 
 +
 
 +
{{note|Usually these password prompts will be looking for the password of your normal user account but occasionally they will need the password of the root account}}
 +
 
 +
 
 +
=Changing Passwords=
 +
 
 +
To change the password of the user account you are logged in as you can use the command:
 +
passwd
 +
 
 +
 
 +
To change the password of a different user on the same system you can use sudo:
 +
sudo passwd theusername
 +
 
 +
 
 +
=Groups=
  
 
Users on a Linux system are commonly arranged in groups. A user group is a convenient way of assigning more users access to a common task like sound, media, printing and mounting of removable drives etc.
 
Users on a Linux system are commonly arranged in groups. A user group is a convenient way of assigning more users access to a common task like sound, media, printing and mounting of removable drives etc.
  
A list of available groups can be seen on the system by opening a terminal and executing the command below.
 
  
  $ cat /etc/group
+
A list of the current groups can be seen on the system with the command:
 +
  getent group | awk -F : '{print $1}'
 +
 
 +
 
 +
To see which groups a given user belongs to use the command
 +
groups theusername
 +
 
 +
 
 +
==Primary Groups==
  
Likewise a user can see which groups the user is part of by executing a <code>groups</code> which will display the users groups.
+
A user can be a member of any number of groups but they have only one primary group.  The primary group is the group used when files are created.
  
$ groups
 
  
== Passwords ==
+
=Understanding File Permissions=
  
The most common credential is the password.  
+
At the most basic level, files are designated as '''r'''ead, '''w'''rite or e'''x'''ecute to the '''u'''ser(owner), the '''g'''roup and '''o'''ther.  To understand how this works let's look at a real world example.
  
The best practice for creating passwords is
+
To get the permissions on the file we can use the command {{ic|ls -l}}.
 +
ls -l /etc/fstab
 +
-rw-r--r-- 1 root root 539 Dec 26 23:07 /etc/fstab
  
* Use a combination of '''upper'''- and '''lowercase letters''' mixed with '''digits''' and special characters like '''!#%&'''.
 
* Do not use words which can be found in a dictionary. Dictionary password attacks is a most effective way of breaking passwords.
 
* Ensure your password have a reasonable length of at least 8 characters and preferably more.
 
  
You might think it is easier for you to have the same password for your superuser and root account since you are the only one using the system. You are in charge but be advised that you might weaken your security since you will not know when your system in response to an action to be performed is asking for your superuser pass or your root pass.
+
That first group of letters and dashes indicate the permissions. It is 10 characters long and the dashes indicate a lack of permissions.
  
== Administrative tasks ==
+
* The first character "-", represents the file type, "-" indicates that it is a normal files.
 +
* The next three characters "rw-" indicate the permissions for the user or owner of the file.  In this case reading and writing are allowed but not executing.
 +
* The next three characters "rw-" indicate the permissions for members of the group who owns the file.  In this case reading and writing are allowed but not executing.
 +
* The next three characters "r--" indicate the permissions for other users.  In this case reading is allowed but not writing or executing.
  
Common administrative tasks like installing software, setting up printers, modifying configurations will often require the use of an administrative role.
 
  
On a Manjaro system the first user is created upon installation and that user will by default get assigned to the administrative role of the computer. That implies that the user is able to execute commands prefixed with <code>sudo</code> and upon supplying the users password the tasks can be executed.
+
From more detailed information on how file permissions are broken down take a look at [https://en.wikipedia.org/wiki/File_system_permissions#Traditional_Unix_permissions this Wikipedia article]
  
It is a common perception that '''root = su = superuser''' and that will be correct for most situations.
 
  
However situations exist where the system will ask for your root password and not your superuser password and you have no way of knowing which one is asked for.
+
==Changing File Permissions==
  
You will at times find yourself in a situation where you are absolutely sure you are inputting the correct password and the system refuses to comply and thereby drive you crazy.
+
The command {{ic|chmod}} can be used to change permissions on a file or directory.  It is probably easier to demonstrate than explain.
  
If you make a habit of having different passwords for superuser and root you will just have to switch to the other and the system will comply.
 
  
 +
Add read rights to the user(owner) of the file
 +
chmod u+r filename
  
== Forum ==
 
  
* [https://forum.manjaro.org/t/lightdm-manjaro-cinnamon-17-1-9/46158/26?u=fhdk Lightdm Manjaro Cinnamon 17.1.9]
+
Remove execute rights to members of the group owner of filename
 +
chmod g-x filename
  
  
== Tips ==
+
Set the rights for the other group to read only
 +
chmod o=r filename
  
=== Be alert ===
 
  
* Everything you have on your devices, maybe one day be on the internet.
+
Of course, in normal use you would combine everything like this:
* So, do not put things which you do not want on the internet
+
chmod o+rw,g=r,o-rwx filename
  
=== Firewall ===
 
* Read about firewalls
 
* Read about IPv4 and IPv6, how check which you use, how disable not used
 
* Read how read firewall logs
 
* Read how find open ports
 
* Read how find applications that use the internet and how to block
 
* Read how to find listen to the connections / applications.  Secure passwords should be encrypted
 
* Read how block dangerous websites and access to the router, to protect the system and router against attack from web browser.
 
* Read https://wiki.manjaro.org/index.php?title=Security_%26_Anonymity
 
  
=== Web browser ===
+
This adds read and write to the owner, set the group as read only and remove read, write and execute from other users
* Read what data is disclosed by the web browser
+
* Read about plugins: '''uBlock Origin''' , '''NoScript'''
+
* Read why installing unknown or poor plugins can be dangerous.
+
  
=== E-mail ===
 
* Read how to create aliases for your own mail and why can help you protect against spam or inform about a data leak
 
* Read how how to automatically sort trusted emails
 
* Read how read source code messages and how to see the headers
 
* Read about '''phishing''' and '''punycode phishing attack'''
 
 
=== System processes ===
 
* Read about '''sandbox'''
 
* Read how prevent a fork bomb by limiting user process
 
  
=== Habits ===
+
The chmod command can do a lot more than thatFor more information take a look at [https://en.wikipedia.org/wiki/Chmod Wikipedia's chmod reference]
* Do not use commands if you do not know what they do
+
* Do not enter long commands, but '''copy''' and '''paste'''
+
* Do not use '''root account''' if you don't need.
+
* Do not trust anyone. If you can check, verify.
+
* Read how to build strong passwords
+
* Read about '''two-factor authentication'''
+
* Read about GPG / GnuPG ''( Asymmetric encryption with 2 keys: private and public )''
+
** for example https://wiki.manjaro.org/index.php?title=How-to_verify_GPG_key_of_official_.ISO_images
+
* Read about hash collisions
+
** https://en.wikipedia.org/wiki/Collision_attack
+
** http://valerieaurora.org/hash.html
+
  
=== Files ===
 
* Read why we use '''sgid''' and why it can be dangerous
 
* Read how find files with incorrect permissions and how find files with sgid
 
* Read about '''AIDA''' ''( Advanced Intrusion Detection Enviornment )''
 
* Read what it is '''Access Control Lists'''
 
* Read how to check the changed packages
 
* Read how to check system logs and how to quickly find faults and how create alerts
 
* Update the system systematically if possible, because a lot of attacks already use detected and repaired vulnerabilities.
 
* Read why untested packages from outside the repository can be dangerous
 
* Read why we use programs with a closed source code and why can be dangerous
 
* Read about '''chkrootkit''' and '''rkhunter'''
 
  
=== Developers ===
+
=Firewalls=
* Read about attacks on environmental variables
+
* Read about attack on input files
+
* Read about Validating Sanitizing and Escaping User Data
+
  
 +
The [[Firewalls]] article has a full description of the Firewall solutions available on Manjaro
  
  
 
[[Category:Contents Page]]
 
[[Category:Contents Page]]

Revision as of 02:34, 28 May 2019


Overview

System security is a complicated topic that individuals study for many years. It would be impractical to impart even a fraction of that knowledge in a Wiki article. What this page will attempt to do is provide a primer in the most basic elements of Linux security and identify common pitfalls for beginners


Users

User accounts are used to log into the system and provide one of the basic building blocks for permissions. You could loosely categorize users into a few categories:

  • Regular user accounts like the one created for you during install.
  • Accounts used to run specific processes. These users are often named after the service they run. For example the dbus users is user to run the master dbus process.
  • The root account.


The root account is an administrator or superuser account. This account to everything in the system and be used with extreme care. In most cases, it shouldn't be used at all. Instead use sudo.


sudo

The command sudo lets you run a command as the root user without actually switching to the root user. In many cases this is safer than using the root user directly as only a single command is being run as root. For example, your normal user account would not be able the file /etc/fstab because it is owned by root. However, you can edit it with sudo like this:

sudo nano /etc/fstab


When you run this command, you will be asked for a password, this will be the password of your normal user account. For more information about editing configuration files owned as root see [[Viewing_and_editing_configuration_files|this article on configuration files]


sudo vs su

While sudo and su look similar and both involve root access they are very different. sudo runs a single command as another user and requests the password of your normal user account. su lets you *become* root and requests the password of the root user. In general, it is usually safer to use sudo than to use su.


Warning: Never run a graphical program with as root or with sudo, it should only be used with command line programs


Why am I Asked for a Password

Sometimes you will take an action in the terminal or through a GUI application and will get prompted for your password. This is because the action you are trying to take cannot be completed by you user and requires elevated rights. Whenever you get a password prompt like this it is important to pause and think if the action you are taking *should* be asking for elevated rights before entering your password.


note: Usually these password prompts will be looking for the password of your normal user account but occasionally they will need the password of the root account


Changing Passwords

To change the password of the user account you are logged in as you can use the command:

passwd


To change the password of a different user on the same system you can use sudo:

sudo passwd theusername


Groups

Users on a Linux system are commonly arranged in groups. A user group is a convenient way of assigning more users access to a common task like sound, media, printing and mounting of removable drives etc.


A list of the current groups can be seen on the system with the command:

getent group | awk -F : '{print $1}'


To see which groups a given user belongs to use the command

groups theusername


Primary Groups

A user can be a member of any number of groups but they have only one primary group. The primary group is the group used when files are created.


Understanding File Permissions

At the most basic level, files are designated as read, write or execute to the user(owner), the group and other. To understand how this works let's look at a real world example.

To get the permissions on the file we can use the command ls -l.

ls -l /etc/fstab
-rw-r--r-- 1 root root 539 Dec 26 23:07 /etc/fstab


That first group of letters and dashes indicate the permissions. It is 10 characters long and the dashes indicate a lack of permissions.

  • The first character "-", represents the file type, "-" indicates that it is a normal files.
  • The next three characters "rw-" indicate the permissions for the user or owner of the file. In this case reading and writing are allowed but not executing.
  • The next three characters "rw-" indicate the permissions for members of the group who owns the file. In this case reading and writing are allowed but not executing.
  • The next three characters "r--" indicate the permissions for other users. In this case reading is allowed but not writing or executing.


From more detailed information on how file permissions are broken down take a look at this Wikipedia article


Changing File Permissions

The command chmod can be used to change permissions on a file or directory. It is probably easier to demonstrate than explain.


Add read rights to the user(owner) of the file

chmod u+r filename


Remove execute rights to members of the group owner of filename

chmod g-x filename


Set the rights for the other group to read only

chmod o=r filename


Of course, in normal use you would combine everything like this:

chmod o+rw,g=r,o-rwx filename


This adds read and write to the owner, set the group as read only and remove read, write and execute from other users


The chmod command can do a lot more than that. For more information take a look at Wikipedia's chmod reference


Firewalls

The Firewalls article has a full description of the Firewall solutions available on Manjaro